{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-9961","assignerOrgId":"f23511db-6c3e-4e32-a477-6aa17d310630","state":"PUBLISHED","assignerShortName":"TPLink","dateReserved":"2025-09-03T17:19:40.584Z","datePublished":"2025-09-06T06:50:59.558Z","dateUpdated":"2026-02-26T17:49:11.572Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"AX10 V1/V1.2/V2/V2.6/V3/V3.6","vendor":"TP-Link Systems Inc.","versions":[{"lessThan":"1.2.1","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"AX1500 V1/V1.20/V1.26/V1.60/V1.80/V2.60/V3.6","vendor":"TP-Link Systems Inc.","versions":[{"lessThan":"1.3.11","status":"affected","version":"0","versionType":"custom"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div>An authenticated attacker may remotely execute arbitrary code via the CWMP binary on the devices AX10 and AX1500.&nbsp;</div><div>The exploit can only be conducted via a Man-In-The-Middle (MITM) attack.&nbsp;</div><div>This issue affects AX10 V1/V1.2/V2/V2.6/V3/V3.6: before 1.2.1; AX1500 V1/V1.20/V1.26/V1.60/V1.80/V2.60/V3.6: before 1.3.11.</div>"}],"value":"An authenticated attacker may remotely execute arbitrary code via the CWMP binary on the devices AX10 and AX1500. \n\nThe exploit can only be conducted via a Man-In-The-Middle (MITM) attack. \n\nThis issue affects AX10 V1/V1.2/V2/V2.6/V3/V3.6: before 1.2.1; AX1500 V1/V1.20/V1.26/V1.60/V1.80/V2.60/V3.6: before 1.3.11."}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.6,"baseSeverity":"HIGH","privilegesRequired":"HIGH","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-120","description":"CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f23511db-6c3e-4e32-a477-6aa17d310630","shortName":"TPLink","dateUpdated":"2025-09-06T06:50:59.558Z"},"references":[{"url":"https://blog.byteray.co.uk/zero-day-alert-automated-discovery-of-critical-cwmp-stack-overflow-in-tp-link-routers-0bc495a08679"},{"tags":["vendor-advisory"],"url":"https://www.tp-link.com/us/support/faq/4647/"},{"tags":["patch"],"url":"https://www.tp-link.com/us/support/download/archer-ax10/"},{"tags":["patch"],"url":"https://www.tp-link.com/us/support/download/archer-ax1500/"}],"source":{"discovery":"UNKNOWN"},"title":"Authenticated RCE by CWMP binary","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2025-9961","role":"CISA Coordinator","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-09-09T03:55:19.533182Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T17:49:11.572Z"}}]}}